 

Worm:Win32/Ramnit.A


Microsoft security software detects and removes this threat.
 
This threat can download other malware, including Virus:Win32/Ramnit.A!dll.
 
It is installed on your PC by Virus:Win32/Ramnit.A.


What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation
Worm:Win32/Ramnit.A copies itself to %ProgramFiles%\microsoft\desktoplayer.exe.
 
It also creates a mutex named "KyUffThOkYwRRtgPP".

Payload
Injects code
 
Worm:Win32/Ramnit.A launches the default web browser and injects code into it.
 
The injected code may be detected as Virus:Win32/Ramnit.A!dll, which contains the file infection functionality.
 
See the Virus:Win32/Ramnit.A!dll description for more information.
 
Analysis by Chun Feng

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    %program_files%\microsoft\desktoplayer.exe
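
A host triage check for the two indicators this page lists (the dropped desktoplayer.exe and the mutex), added here as a PowerShell example; it is not Microsoft's own code. The function name Test-RamnitIndicators and the extra check of the x86 Program Files root are assumptions of this example, and because the mutex name is opened without a namespace prefix, the check only sees a mutex created in the same logon session.

```powershell
function Test-RamnitIndicators {
    [CmdletBinding()]
    param(
        # Both default values are the indicators given in the write-up above.
        [string]$MutexName    = 'KyUffThOkYwRRtgPP',
        [string]$RelativePath = 'microsoft\desktoplayer.exe'
    )

    # A 32-bit process on 64-bit Windows resolves %ProgramFiles% to
    # "Program Files (x86)", so check every Program Files root on the host.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramW6432) |
        Where-Object { $_ } | Select-Object -Unique

    $files = @(foreach ($root in $roots) {
        $candidate = Join-Path $root $RelativePath
        # -Force: report the file even if it carries hidden/system attributes.
        $item = Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue
        if ($item) {
            $hash = Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path         = $item.FullName
                LastWriteUtc = $item.LastWriteTimeUtc
                Sha256       = $hash.Hash   # empty if the file could not be read
            }
        }
    })

    # Open (never create) the mutex: creating it would plant the indicator.
    $mutexFound = $false
    $handle = $null
    try {
        $handle = [System.Threading.Mutex]::OpenExisting($MutexName)
        $mutexFound = $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        $mutexFound = $false      # no such mutex in this session
    } catch [System.UnauthorizedAccessException] {
        $mutexFound = $true       # exists, but its ACL denies this user
    } finally {
        if ($handle) { $handle.Close() }
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        MutexFound = $mutexFound
        Files      = $files
        Suspicious = ($mutexFound -or $files.Count -gt 0)
    }
}

Test-RamnitIndicators | Format-List
```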

Prevention


Alert level: Severe
First detected by definition: 1.87.465.0
Latest detected by definition: 1.191.563.0 and higher
First detected on: Jul 23, 2010
This entry was first published on: Aug 10, 2010
This entry was updated on: Oct 29, 2014

This threat is also detected as:
  • Packed.Win32.Krap.hm (Kaspersky)
  • Trojan horse SHeur3.ANKJ (AVG)
  • TR/Crypt.ZPACK.Gen (Avira)
  • Win32/Ramnit.A (CA)
  • Packed.Win32.Krap (Ikarus)
  • Trj/Krap.Y (Panda)
  • Mal/Zbot-U (Sophos)
  • Trojan.Win32.Generic!BT (Sunbelt Software)